[Nitrokey HSM] Wrap failed with Not allowed

I have generated a keypair using pkcs11-tool --keypairgen -l --key-type rsa:1024 --id 123

pkcs15-tool --dump outputs the following:

PKCS#15 Card [NITROKEY HSM INTFRA1]:
Version : 0
Serial number : DENK0103471
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0x3], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x812], local, initialized, exchangeRefData
Length : min_len:6, max_len:15, stored_len:0
Pad char : 0x00
Reference : 129 (0x81)
Type : ascii-numeric
Path : e82b0601040181c31f0201::
Tries left : 3

PIN [SOPIN]
Object Flags : [0x1], private
ID : 02
Flags : [0x9A], local, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0x00
Reference : 136 (0x88)
Type : bcd
Path : e82b0601040181c31f0201::
Tries left : 15

Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 1 (0x1)
Native : yes
Auth ID : 01
ID : 0123
MD:guid : 16643ecc-e9bf-581d-e146-84138fddff8f

Public RSA Key [Private Key]
Object Flags : [0x0]
Usage : [0x51], encrypt, wrap, verify
Access Flags : [0x2], extract
ModLength : 1024
Key ref : 0 (0x0)
Native : no
ID : 0123
DirectValue :

When I try to export the key using sc-hsm-tool -W wrap.bin --key-reference 1 I get the following output:

Using reader with a card: Nitrokey Nitrokey HSM (DENK01034710000 ) 00 00
Enter User PIN :

sc_card_ctl(*, SC_CARDCTL_SC_HSM_WRAP_KEY, *) failed with Not allowed

Any ideas on how this could be resolved?

Did you initialize the device with a DKEK and import the shares?

See the blog for details.

sc-hsm-tool outputs the following so I think the DKEK is set up properly:

Using reader with a card: Nitrokey Nitrokey HSM (DENK01034710000 ) 00 00
Version : 3.4
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
DKEK shares : 1
DKEK key check value : 1A21FD526AC9A2BA

Did you specify or enter a PIN during export?

Can you try the Smart Card Shell?

Press CTRL-M to start the key manager and select “Export key and certificate” from the context menu attached to the key. You need to log in on the user PIN’s context menu first.

Btw. it is also possible that you have some other process running that resets the authentication state. Make sure to close those apps beforehand.

As a last resort you could publish the log output when running the sc-hsm-tool command with

> OPENSC_DEBUG=9 sc-hsm-tool ....

@Matthias
Regarding the OpenSC log, just a friendly reminder that the PIN could be logged there - please do not use any secret password when debugging.

The VM we were using does not have a GUI so I switched to a different VM for this. Smart Card Shell shows the following error:

GPError: Card (CARD_INVALID_SW/27013) - “Unexpected SW1/SW2=6985 (Checking error: Condition of use not satisfied) received” in C:\Program Files\CardContact\scsh3\scsh\sc-hsm\SmartCardHSM.js#1334
at C:\Program Files\CardContact\scsh3\scsh\sc-hsm\SmartCardHSM.js#1334
at C:\Program Files\CardContact\scsh3\scsh\sc-hsm\HSMKeyStore.js#264
at C:\Program Files\CardContact\scsh3\keymanager\keymanager.js#2008
at C:\Program Files\CardContact\scsh3\keymanager\keymanager.js#2266

The debug output of sc-hsm-tool can be found at https://paste.ee/p/ZZfxr

Very strange and I can not offer a good explanation. When I try it myself it works as expected:

asc@caprese:~/share/projects/workspace_scsh$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1 --label mytoken
Using reader with a card: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511822601851) 00 00
asc@caprese:~/share/projects/workspace_scsh$ sc-hsm-tool
Using reader with a card: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511822601851) 00 00
Version              : 3.4
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1
DKEK import pending, 1 share(s) still missing
asc@caprese:~/share/projects/workspace_scsh$ sc-hsm-tool --import-dkek-share passwd.pbe 
Using reader with a card: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511822601851) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 1
DKEK key check value : 6C809AF3E07A1CE0
asc@caprese:~/share/projects/workspace_scsh$ pkcs11-tool --keypairgen -l --key-type rsa:1024 --id 123
Using slot 1 with a present token (0x4)
Logging in to "mytoken (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      Private Key
  ID:         0123
  Usage:      decrypt, sign, unwrap
  Access:     none
Public Key Object; RSA 1024 bits
  label:      Private Key
  ID:         0123
  Usage:      encrypt, verify, wrap
  Access:     none
asc@caprese:~/share/projects/workspace_scsh$ sc-hsm-tool -W wrap.bin --key-reference 1
Using reader with a card: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511822601851) 00 00
Enter User PIN : 

asc@caprese:~/share/projects/workspace_scsh$ ls -la wrap.bin
-rw-r--r-- 1 asc asc 996 Okt  3 10:54 wrap.bin

There are three conditions in which the wrap APDU returns 6985:

  • The key to be wrapped has a key use counter (not applicable here)
  • The key is not associated with a key domain (does not apply as with OpenSC all keys are associated with the key domain created during initialization)
  • If the key domain is not yet ready (i.e. fully initialized, DKEK share missing)

Can you try to repeat the full sequence of commands with sc-hsm-tool and the Smart Card Shell?
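An added preflight check, not part of this thread and not OpenSC's or CardContact's own tooling: the POSIX shell snippet below parses the status lines `sc-hsm-tool` prints (in the shape quoted earlier in the thread, both the "DKEK key check value" form and the "DKEK import pending" form) to tell a ready key domain from one with a pending DKEK import, and only then issues the `-W` wrap command. It covers the third of the three 6985 conditions listed above; the key use counter and key domain association cannot be read from this status output. The two sample status texts are constructed for the example, and `dkek_ready`, `dkek_missing_shares` and `wrap_if_ready` are hypothetical helper names.

```shell
# dkek_ready: read sc-hsm-tool status text on stdin; return 0 when the DKEK is
# fully imported (key check value present, no pending shares), 1 otherwise.
dkek_ready() {
    status="$(cat)"
    if printf '%s\n' "$status" | grep -q 'DKEK import pending'; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q 'DKEK key check value'
}

# dkek_missing_shares: read sc-hsm-tool status text on stdin and print the
# number of DKEK shares still missing (0 when the import is complete).
dkek_missing_shares() {
    n="$(sed -n 's/.*DKEK import pending, \([0-9][0-9]*\) share(s) still missing.*/\1/p')"
    echo "${n:-0}"
}

# Constructed sample status outputs (same layout as sc-hsm-tool prints).
READY_SAMPLE='Version              : 3.4
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1
DKEK key check value : 1A21FD526AC9A2BA'

PENDING_SAMPLE='Version              : 3.4
Config options       :
  User PIN reset with SO-PIN enabled
SO-PIN tries left    : 15
User PIN tries left  : 3
DKEK shares          : 1
DKEK import pending, 1 share(s) still missing'

# wrap_if_ready KEYREF OUTFILE: query the token, refuse to wrap while the key
# domain is incomplete, otherwise run the same export command as in the thread.
# Needs a real token attached; the two arguments are placeholders to fill in.
wrap_if_ready() {
    keyref="$1"
    outfile="$2"
    if sc-hsm-tool | dkek_ready; then
        sc-hsm-tool -W "$outfile" --key-reference "$keyref"
    else
        echo "DKEK incomplete; import the remaining share(s) before wrapping" >&2
        return 1
    fi
}
```

Usage on a live system would be `wrap_if_ready 1 wrap.bin`; with the pending sample the helper reports the missing share count instead of letting the card answer with 6985.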